package light.head.framework.interceptor;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import light.head.config.ConfigParm;
import light.head.constant.Msg;
import light.head.constant.Parm;
import light.head.constant.Sys;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * 网站及后台都需要使用的Controller
 * @author jianhang
 */
public class BaseInterceptor extends HandlerInterceptorAdapter {
	
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
		request.setAttribute(Parm.CONTEXT_PATH, ConfigParm.getContextPath());
		if (null == handler) {
			request.setAttribute(Sys.INFO, Msg.PERMISSION_DENIED);
			request.getRequestDispatcher(Msg.ERROR).forward(request, response);
			return false;
		}
		
		String method = request.getMethod();
		// 对访问方法进行拦截 , 防 http trace 方法
		if (!method.toUpperCase().equals("POST") && !method.toUpperCase().equals("GET")) {
			// 非法的访问方式
			return false;
		}
		
		// getContextPath + 访问路径
		String disPath = request.getRequestURI();
		
		// 过滤后台
		if (!disPath.contains("/m/")) {
			// 对提交的字符进行处理
			// 对所有的参数都进行过滤
			String requestStr = getRequestPath(request);
			if (guolv2(requestStr) || guolv2(request.getRequestURL().toString())) {
				if (!disPath.contains("/app/")) {
					response.sendRedirect(ConfigParm.getContextPath() + "index.html");
				}
				return false;
			}
			// 对参数处理
			String[] temp = null;
			Map<String, String[]> pMap = request.getParameterMap();
			for (String key : pMap.keySet()) {
				temp = pMap.get(key);
				for (int i = 0; i < temp.length; i++) {
					temp[i] = guolv(temp[i]);
				}
			}
		}
		
		return true;
	}
	

	private static String NONE = "";
	
	
	private String getRequestPath(HttpServletRequest request) {
		String requestPath = request.getServletPath().toString();
		String queryString = request.getQueryString();
		if (null == queryString || NONE.equals(queryString)) {
			return requestPath;
		} else {
			return requestPath + "?" + queryString;
		}
	}
	
	
	
	/**
	 * 对字符串的替换
	 *@param str	要处理的字符串
	 *@return
	 *@author yangguanghe [2015-11-6_下午7:22:39]
	 */
	private static String guolv(String str) {
		if (null == str || NONE.equals(str)) {
			return str;
		}
		// |_&_;_$_%_@_'_"_\'_\"_<>_()_+_CR_LF_,_\
		// |_&_;_$_%_@_%27_%22_\%27_\%22_%3C%3E_()_+_CR_LF_,_\
		// %7C_%26_%3B_%24_%25_%40_%27_"_%5C%27_%5C"_<>_()_%2B_CR_LF_%2C_%5C
		
		str = str.replaceAll("|", NONE);
		str = str.replaceAll("&", NONE);
		str = str.replaceAll(";", NONE);
		str = str.replaceAll("$", NONE);
		str = str.replaceAll("%", NONE);
	//	str = str.replaceAll("@", NONE);
		str = str.replaceAll("\'", NONE);
		str = str.replaceAll("\"", NONE);
		str = str.replaceAll("<", NONE);
		str = str.replaceAll(">", NONE);
		str = str.replaceAll("\\(", NONE);
		str = str.replaceAll("\\)", NONE);
		str = str.replaceAll("CR", NONE);
		str = str.replaceAll("LF", NONE);
		str = str.replaceAll(",", NONE);
		//str = str.replaceAll("\\", NONE);
		
		//str = str.replaceAll("%7C", NONE);
		str = str.replaceAll("%26", NONE);
		str = str.replaceAll("%3B", NONE);
		str = str.replaceAll("%24", NONE);
		str = str.replaceAll("%25", NONE);
		str = str.replaceAll("%40", NONE);
		str = str.replaceAll("%27", NONE);
		str = str.replaceAll("%22", NONE);
		str = str.replaceAll("%5C%27", NONE);
		str = str.replaceAll("%5C%22", NONE);
		str = str.replaceAll("%3C", NONE);
		str = str.replaceAll("%3E", NONE);
		str = str.replaceAll("%2B", NONE);
		//str = str.replaceAll("%2C", NONE);
		str = str.replaceAll("%5C", NONE);

		//str = str.replaceAll("%7c", NONE);
		str = str.replaceAll("%26", NONE);
		str = str.replaceAll("%3b", NONE);
		str = str.replaceAll("%24", NONE);
		str = str.replaceAll("%25", NONE);
		str = str.replaceAll("%40", NONE);
		str = str.replaceAll("%27", NONE);
		str = str.replaceAll("%22", NONE);
		str = str.replaceAll("%5c%27", NONE);
		str = str.replaceAll("%5c%22", NONE);
		str = str.replaceAll("%3c", NONE);
		str = str.replaceAll("%3e", NONE);
		str = str.replaceAll("%2b", NONE);
		//str = str.replaceAll("%2c", NONE);
		str = str.replaceAll("%5c", NONE);
		
		str = str.replaceAll("and", NONE);
		str = str.replaceAll("or", NONE);
		str = str.replaceAll("1=1", NONE);
		str = str.replaceAll("AND", NONE);
		str = str.replaceAll("OR", NONE);
		return str;
	}
	
	private static boolean guolv2(String s) {
		if (null != s && !NONE.equals(s)) {
			if (s.contains("%3b") 
					|| s.contains("%%")
					|| s.contains("%3B")
					|| s.contains("%24")
					|| s.contains("%25")
					|| s.contains("%40")
					|| s.contains("%27")
					|| s.contains("%22")
					|| s.contains("%5c")
					|| s.contains("%5C")
					|| s.contains("%5c%27")
					|| s.contains("%5c%22")
					|| s.contains("%3c")
					|| s.contains("%3C")
					|| s.contains("%3e")
					|| s.contains("%3e")
					|| s.contains("%2b")
					|| s.contains("%2B")
					|| s.contains("<")
					|| s.contains(">")
					|| s.contains("\'")
					|| s.contains("\"")
					|| s.contains("+")
					|| s.contains("(")
					|| s.contains(")")
					|| s.contains("|")
				//	|| s.contains("@")
					|| s.contains("'")
					|| s.contains("\"")
					|| s.contains("$")
					|| s.contains(",")
					|| s.contains(";")
					|| s.contains("~")) {
				return true;
			}
		}
		return false;
	}
	
}
